Visibility vs Data

Machine learning has provided organisations with more data but it has not provided greater visibility.

Shares

It is the summer holidays and the schools are out. If you have children you have been watching the weather forecast, with increasing dread, hoping that tomorrow will bring brighter weather. Weather forecasting is a pretty accurate science, based on crunching huge amounts of data using complex algorithms, but this is all abstracted away from us; weather forecasting has evolved to the point where we get the visibility we need of the risks we may face, without having to worry about the underlying data or analysis techniques. In security we are in the opposite position.

As threats have evolved, and as our networks and services have become more complex, businesses have deployed best practice layered security architectures. They have rolled out new technologies to deal with new threats, and the average number of different vendors a business can utilise within their security architecture has ballooned. The technology that has been deployed has and will continue to block a significant proportion of the threats we face, but it doesn’t block them all, as is evidenced by the increasing number of DDoS related outages and data breaches we see occurring around the world.

There is money to be made by disrupting the availability of our services or stealing our data, and attackers will continue to come up with new tools and techniques to ensure they can achieve their goals, and reap the pecuniary rewards. Attackers are adopting more stealthy techniques and using stolen credentials for example, rather than malware, to gain access to our networks, and these kinds of incursions fly under the radar of our traditional security solutions.

To identify these more stealthy attacks there has been an explosion in the availability of tools using behavioral and / or machine learning techniques to identify suspicious or malicious activities. Machine learning is hugely interesting, and its capabilities are amazing. Machine learning can find patterns and detect threats that would otherwise be difficult to identify; it is often said that people are good at identifying patterns – and we are – but we blink, get bored, have a finite window of memory. Machine learning algorithms can identify patterns that people can’t see, but they aren’t (yet) the answer to all of our problems.

Identifying suspicious activities and generating events is the first step in security, being able to take action on the detections we have is the second and most important. Most machine learning systems currently deliver events without the context needed for an analyst to quickly understand what is going on, and at present people make blocking decisions in security. So, machine learning as a technology, as with others before it, is yielding more data-points not better visibility of risk. The two are not the same.

A good way to think about this problem is to consider the difference between a spreadsheet and a graph. If I am presented with a spreadsheet containing multiple columns of data and asked to establish what the trends are, the first thing I do is draw a graph. A graph allows me to intuitively understand the data – I get visibility. Metaphorically speaking, in security we have built ourselves a big spreadsheet and keep adding columns – without adding the graphing functions that allow us to understand what is going on.

In security having a lot of events has been touted as good visibility, but as we all know most security teams are buried by the stream of information coming at them. Figuring out what to focus on - where the real threat lies – is a problem security analysts have to deal with every day. The problem is not that we have multiple layers of security containing products from multiple vendors, it is that in most cases we have nothing to collate and organise all of the ‘data’ (events) we have into a real view of threats. This means that our (scarce) security resources effectively waste a lot of their time chasing false positives and moving between poorly integrated product rather than problem centric workflows.

This is something we need to solve as an industry. Even products and solutions that are touted as easy to use, tend be ‘easy to use’ for dedicated security analysts – and only larger enterprises can resource teams of people with the right skillsets. Smaller enterprise and SME organisations have the same risks, and have data valuable to attackers, but don’t have the resources needed to manage their risk. This is unlikely to change, as the skills shortage in the industry is not likely to resolve itself in the near future.

This all sounds very bleak, but it isn’t. At the big security conferences this year, such as RSA and Cisco Live, there seems to be a growing acceptance of the above, and that as an industry we need to providing two things: firstly, security solutions that enable unified workflows, leveraging smart data derived from network activity and beyond, providing true visibility of threats and allowing security analysts to focus their time and energy in the right place; and, secondly, security solutions that can be easily operationalised by managed security service providers, allowing smaller organisations access to the best defensive capabilities.

The threats we face change all of the time, and our network and service architectures are going through a significant shift at the moment due to digital transformation and cloud. Businesses see agility as a necessity moving forward, allowing them to increase revenue, increase competitiveness, reduce costs, reduce time-to-market AND reduce risk – all at the same time. Security has to be seen as an enabler – not a barrier – to new ideas and business directions, and if we can achieve this then we can all have a brighter future.